Virtual Private Networks (VPNs)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Virtual Private Networks (VPNs)"

Transcription

1 CHAPTER 19 Virtual Private Networks (VPNs) Virtual private network is defined as customer connectivity deployed on a shared infrastructure with the same policies as a private network. The shared infrastructure can leverage a service provider IP, Frame Relay, or ATM backbone, or the Internet. There are three types of VPNs, which align with how businesses and organizations use VPNs Access VPN Provides remote access to a corporate intranet or extranet over a shared infrastructure with the same policies as a private network. Access VPNs enable users to access corporate resources whenever, wherever, and however they require. Access VPNs encompass analog, dial, ISDN, Digital Subscriber Line (DSL), mobile IP, and cable technologies to securely connect mobile users, telecommuters, or branch offices. Intranet VPN Links corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, quality of service (QoS), manageability, and reliability. Extranet VPN Links customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability. Figure 19-1 This figure provides a logical topology view of a VPN. IP Network Internet /IP/FR/ATM VPN Headquarters Home Office Branch Office Telecommuter Virtual Private Networks (VPNs) 19-1

2 Cisco Systems VPNs Cisco Systems VPNs Currently there are no standards outlining the software and hardware components of a VPN. Every vendor that provides a VPN service performs it in a method that is best supported by its own hardware platforms and software applications. The following sections of this chapter discuss the Cisco Systems implementation of VPN services. The Cisco Systems VPN Design Cisco s end-to-end hardware and Cisco IOS software networking products provide sophisticated security for sensitive private transmissions over the public infrastructure, QoS through traffic differentiation, reliability for mission-critical applications, scalability for supporting large bandwidth of data, and comprehensive network management to enable a complete access VPN solution. The following sections discuss how Cisco network access servers (NASs) and routers with Cisco IOS software provide new functionality with virtual dialup services. This functionality is based on the L2F protocol Internet Engineering Task Force (IETF) draft request for comments (RFC). The L2F protocol focuses on providing a standards-based tunneling mechanism for transporting link-layer frames for example, High-Level Data Link Control (HDLC), async Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or PPP Integrated Services Digital Network (ISDN) of higher-layer protocols. Using such tunnels, it is possible to divorce the location of the initial dialup server from the location at which the dialup protocol connection is terminated and the location at which access to the network is provided (usually a corporate gateway). Tunneling Defined A key component of the virtual dialup service is tunneling, a vehicle for encapsulating packets inside a protocol that is understood at the entry and exit points of a given network. These entry and exit points are defined as tunnel interfaces. The tunnel interface itself is similar to a hardware interface, but is configured in software. Figure 19-2 shows the format in which a packet would traverse the network within a tunnel. Figure 19-2 This is an overview of a tunneling packet format. IP/UDP L2F PPP (Data) Carrier Protocol Encapsulating Protocol Passenger Protocol Tunneling involves three types of protocols. The passenger protocol is the protocol being encapsulated; in a dialup scenario, this protocol could be PPP, SLIP, or text dialog. The encapsulating protocol is used to create, maintain, and tear down the tunnel. Cisco supports several encapsulating protocols, including the L2F protocol, which is used for virtual dialup services. The carrier protocol is used to carry the encapsulated protocol; IP is the first carrier protocol used by the L2F protocol because of its robust routing capabilities, ubiquitous support across different media, and deployment within the Internet Internetworking Technology Overview, June 1999

3 Cisco s Virtual Dialup Services No dependency exists between the L2F protocol and IP. In subsequent releases of the L2F functionality, Frame Relay, X.25 virtual circuits (VCs), and Asynchronous Transfer Mode (ATM) switched virtual circuits (SVCs) could be used as a direct Layer 2 carrier protocol for the tunnel. Tunneling has evolved to become one of the key components in defining and using VPNs. Cisco Systems provides virtual dialup service through a telecommuting form of a VPN. Cisco s Virtual Dialup Services The following terms are defined to fully describe the virtual dialup service that Cisco provides in its Cisco IOS software: Remote user The client who is dialing ISDN/Public Switched Telephone Network (PSTN) from either home or a remote location. NAS The telecommuting device that terminates the dialup calls either over analog (basic telephone service) or digital (ISDN) circuits. Internet service provider (ISP) The ISP, which supplies the dialup services, can provide for services itself through the NAS or can deliver the dialup remote user to a designated corporate gateway. gateway The destination router that provides access to the services the remote user is requesting. The services could be a corporation or even another ISP. Remote users (using either asynchronous PPP or ISDN) access the corporate LAN as if they were dialed directly into the corporate gateway, although their physical dialup is through the ISP NAS. Figure 19-2 gives a topological view of how these conventions would be deployed within a virtual dialup service. Cisco s L2F Implementation The key management requirements of service that are provided by Cisco s L2F implementation are as follows: Neither the remote end system nor its corporate hosts should require any special software to use this service in a secure manner. Authentication as provided by dialup PPP, Challenge Handshake Authentication Protocol (CHAP), or Password Authentication Protocol (PAP), including Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) solutions, as well as support for smart cards and one-time passwords; the authentication will be manageable by the user independently of the ISP. Addressing will be as manageable as dedicated dialup solutions; the address will be assigned by the remote user s respective corporation, and not by the ISP. Authorization will be managed by the corporation s remote users, as it would be in a direct dialup solution. Accounting will be performed by both the ISP (for billing purposes) and by the user (for chargeback and auditing). These requirements are primarily achieved based on the functionality provided by tunneling the remote user directly to the corporate location using the L2F protocol. In the case of PPP, all Link Control Protocol (LCP) and Network Control Protocol (NCP) negotiations take place at the remote user s corporate location. PPP is allowed to flow from the remote user and terminate at the corporate gateway. Figure 19-3 illustrates this process. Virtual Private Networks (VPNs) 19-3

4 Cisco Systems VPNs Figure 19-3 The remote client establishes a PPP connection with the corporate network to complete the virtual dialup topology. Remote User PSTN PRI NAS ISP/Internet Gateway LAN End-to-End Virtual Dialup Process To illustrate how the virtual dialup service works, the following example describes what might happen when a remote user initiates access. Figure 19-4 gives a step-by-step flow of this end-to-end process. The remote user initiates a PPP connection to an ISP over the PSTN or natively over ISDN. The NAS accepts the connection, and the PPP link is established. (See Figure 19-4, step 1.) 19-4 Internetworking Technology Overview, June 1999

5 Cisco s Virtual Dialup Services Figure 19-4 Eight steps are required for communications between a remote VPN client and a corporate LAN. Gateway 4 Security Server Backbone Infrastructure Remote User ISDN, Basic Telephone Service Cable, Wireless ADSL Home 1 NAS 6 2 Security Server Service Provider 1. Remote user initiates PPP connection, NAS accepts call. 2. NAS identifies remote user. 3. NAS initiates L2F tunnel to desired corporate gateway. 4. gateway authenticates remote user and accepts or declines tunnel. 5. gateway confirms acceptance of call and L2F tunnel. 6. NAS logs acceptance/traffic optional. 7. gateway exchanges PPP negotiations with remote user. IP address can be assigned by corporate gateway at this point. 8. End-to-end data tunneled from remote user and corporate gateway. The ISP authenticates the end system/user using CHAP or PAP. Only the username field is interpreted to determine whether the user requires a virtual dialup service. It is expected that usernames will be structured (for example, or that the ISP will maintain a database mapping users to services. In the case of virtual dialup, the mapping will name a specific endpoint, the corporate gateway. At the time of the first release, this endpoint is the IP address of the corporate gateway known to the public ISP network. (See Figure 19-4, step 2.) Note that if permitted by the organization s security policy, the authorization of the dial-in user at the NAS can be performed only on a domain name within the username field and not on every individual username. This setup can substantially reduce the size of the authorization database. If a virtual dialup service is not required, traditional access to the Internet may be provided by the NAS. All address assignment and authentication would be performed locally by the ISP in this situation. If no tunnel connection currently exists to the desired corporate gateway, one is initiated. The details of such tunnel creation are outside the scope of this specification; L2F requires only that the tunnel media provide point-to-point connectivity. Obvious examples of such media are the User Datagram Virtual Private Networks (VPNs) 19-5

6 Cisco Systems VPNs Protocol (UDP), Frame Relay, ATM, and X.25 VCs. Cisco supports UDP in its first release of the virtual dialup service. Based on UDP using a carrier protocol of IP, any media supporting IP will support the virtual dialup functionality. (See Figure 19-4, step 3.) When the tunnel connection is established, the NAS allocates an unused multiplex ID (MID) and sends a connect indication to notify the corporate gateway of this new dialup session. The MID identifies a particular connection within the tunnel. Each new connection is assigned a MID that is currently unused within the tunnel. The corporate gateway either accepts the connection or rejects it. Rejection may include a reason indication, which may be displayed to the dialup user, after which the call should be disconnected. The initial setup notification may include the authentication information required to allow the corporate gateway to authenticate the user and decide to accept or decline the connection. In the case of CHAP, the setup packet includes the challenge, username, and raw password; for PAP, it includes username and clear text password. The corporate gateway can be configured to use this information to complete its authentication, avoiding an additional cycle of authentication. Note that the authentication takes place at the corporate customer, allowing the corporation to impose its own security and corporate policy on the remote users accessing its network. In this way, the organization does not have to fully trust the authentication that was performed by the ISP. (See Figure 19-4, step 4.) If the corporate gateway accepts the connection, it creates a virtual interface for PPP in a manner analogous to what it would use for a direct-dialed connection. With this virtual interface in place, link-layer frames can pass over this tunnel in both directions. (See Figure 19-4, step 5.) Frames from the remote user are received at the NAS, stripped of any link framing or transparency bytes, encapsulated in L2F, and forwarded over the appropriate tunnel. In the first release, the carrier protocol used by the L2F protocol within the tunnel is IP, requiring the frames to also be encapsulated within IP. The corporate gateway accepts these frames, strips L2F, and processes the frames as normal incoming frames for the appropriate interface and protocol. The virtual interface behaves very much like a hardware interface, except that the hardware in this case is physically located at the ISP NAS. The reverse traffic direction behaves analogously, with the corporate gateway encapsulating the packet in L2F, and the NAS stripping L2F encapsulation before transmitting it out the physical interface to the remote user. In addition, the NAS can optionally log the acceptance of the call and any relevant information with respect to the type of services provided to the remote user, such as duration of call, packets/bytes transferred, and protocol ports accessed. (See Figure 19-4, step 6.) At this point, the connectivity is a point-to-point PPP connection whose endpoints are the remote user s networking application on one end and the termination of this connectivity into the corporate gateway s PPP support on the other. Because the remote user has become simply another dialup client of the corporate gateway access server, client connectivity can now be managed using traditional mechanisms with respect to further authorization, address negotiation, protocol access, accounting, and filtering. (See Figure 19-4, steps 7 and 8.) Because L2F connection notifications for PPP clients contain sufficient information for a corporate gateway to authenticate and initialize its LCP state machine, the remote user is not required to be queried for CHAP authentication a second time, nor is the client required to undergo multiple rounds of LCP negotiation and convergence. These techniques are intended to optimize connection setup and are not intended to circumvent any functions required by the PPP specification Internetworking Technology Overview, June 1999

7 Cisco s Virtual Dialup Services Highlights of Virtual Dialup Service The following sections discuss some of the significant differences between the standard Internet access service and the virtual dialup service with respect to authentication, address allocation, authorization, and accounting. It should be noted that the functionality provided by Cisco s network access servers are intended to provide for both the virtual dialup and traditional dialup services. Authentication/Security In a traditional dialup scenario, the ISP using a NAS in conjunction with a security server follows an authentication process by challenging the remote user for both the username and password. If the remote user passes this phase, the authorization phase can begin. For the virtual dialup service, the ISP pursues authentication to the extent required to discover the user s apparent identity (and by implication, the user s desired corporate gateway). No password interaction is performed at this point. As soon as the corporate gateway is determined, a connection is initiated with the authentication information gathered by the ISP. The corporate gateway completes the authentication by either accepting or rejecting the connection. (For example, the connection is rejected in a PAP request in which the username or password is found to be incorrect.) When the connection is accepted, the corporate gateway can pursue another phase of authentication at the PPP layer. These additional authentication activities are outside the scope of the specification, but might include proprietary PPP extensions or textual challenges carried within a TCP/IP Telnet session. For each L2F tunnel established, L2F tunnel security generates a unique random key to resist spoofing attacks. Within the L2F tunnel, each multiplexed session maintains a sequence number to prevent the duplication of packets. Cisco provides the flexibility of allowing users to implement compression at the client end. In addition, encryption on the tunnel can be done using IP security (IPsec). Authorization When providing a traditional dialup service, the ISP is required to maintain per-user profiles defining the authorization. Thus a security server could interact with the NAS to provide policy-based usage to connecting users, based on their authentication. These policy statements can range from simple source/destination filters for a handful of sites to complex algorithms that determine specific applications, time of day access, and a long list of permitted or denied destinations. This process can become burdensome to the ISP, especially if providing access to remote users on behalf of corporations that require constant change to this policy. In a virtual dialup service, the burden of providing detailed authorization based on policy statements is given directly to the remote user s corporation. By allowing end-to-end connectivity between remote users and their corporate gateway, all authorization can be performed as if the remote users are dialed into the corporate location directly. This setup frees the ISP from having to maintain a large database of individual user profiles based on many different corporations. More importantly, the virtual dialup service becomes more secure for the corporations using it because it allows the corporations to quickly react to changes in their remote user community. Address Allocation For a traditional Internet service, the user accepts that the IP address may be allocated dynamically from a pool of service provider addresses. This model often means that remote users have little or no access to their corporate network s resources because firewalls and security policies deny access to the corporate network from external IP addresses. Virtual Private Networks (VPNs) 19-7

8 Cisco Systems VPNs For the virtual dialup service, the corporate gateway can exist behind the corporate firewall and allocate addresses that are internal (and, in fact, can be RFC 1597 addresses, or non-ip addresses). Because L2F tunnels operate exclusively at the frame layer, the actual policies of such address management are irrelevant to correct virtual dialup service; for all purposes of PPP protocol handling, the dial-in user appears to have connected at the corporate gateway. Accounting The requirement that both the NAS and the corporate gateway provide accounting data can mean that they may count packets, octets, and connection start and stop times. Because virtual dialup is an access service, accounting of connection attempts (in particular, failed connection attempts) is of significant interest. The corporate gateway can reject new connections based on the authentication information gathered by the ISP, with corresponding logging. For cases in which the corporate gateway accepts the connection and then continues with further authentication, the corporate gateway might subsequently disconnect the client. For such scenarios, the disconnection indication back to the ISP can also include a reason. Because the corporate gateway can decline a connection based on the authentication information collected by the ISP, accounting can easily draw a distinction between a series of failed connection attempts and a series of brief successful connections. Without this facility, the corporate gateway must always accept connection requests, and would need to exchange numerous PPP packets with the remote system Internetworking Technology Overview, June 1999

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features

More information

isco Cisco PPPoE Baseline Architecture for the Cisco UAC

isco Cisco PPPoE Baseline Architecture for the Cisco UAC isco Cisco PPPoE Baseline Architecture for the Cisco UAC Table of Contents Cisco PPPoE Baseline Architecture for the Cisco UAC 6400...1...1 Introduction...1 Assumption...1 Technology Brief...2 Advantages

More information

Cisco PPPoE Baseline Architecture for the Cisco UAC 6400

Cisco PPPoE Baseline Architecture for the Cisco UAC 6400 Cisco PPPoE Baseline Architecture for the Cisco UAC 6400 Document ID: 12915 Contents Introduction Assumption Technology Brief Advantages and Disadvantages of PPPoE Architecture Advantages Disadvantages

More information

PPPoA Baseline Architecture

PPPoA Baseline Architecture PPPoA Baseline Architecture Document ID: 12914 Contents Introduction Assumption Technology Brief Advantages and Disadvantages of PPPoA Architecture Advantages Disadvantages Implementation Considerations

More information

A device that bridges the wireless link on one side to the wired network on the other.

A device that bridges the wireless link on one side to the wired network on the other. GLOSSARY A Access point Analog Channel ARP ATM ATO A device that bridges the wireless link on one side to the wired network on the other. A circuit-switched communication path intended to carry 3.1 KHz

More information

Cisco How Virtual Private Networks Work

Cisco How Virtual Private Networks Work Table of Contents How Virtual Private Networks Work...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 Background Information...1 What Makes a VPN?...2 Analogy:

More information

CS 393 Network Security. Nasir Memon Polytechnic University Module 13 Virtual Private Networks

CS 393 Network Security. Nasir Memon Polytechnic University Module 13 Virtual Private Networks CS 393 Network Security Nasir Memon Polytechnic University Module 13 Virtual Private Networks Course Logistics HW due Monday. HW 6 posted. Due in a week. Questions regarding homework are best answered

More information

PPP over Frame Relay

PPP over Frame Relay The feature allows a router to establish end-to-end Point-to-Point Protocol (PPP) sessions over Frame Relay. Finding Feature Information, page 1 Prerequisites for, page 1 Restrictions for, page 2 Information

More information

User Guide IP Connect CSD

User Guide IP Connect CSD The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Wireless Maingate AB shall have no liability for any error or damages

More information

VPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP)

VPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP) VPN Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP) Agenda VPN Classical Approach Overview IP Based Solutions IP addresses non overlapping IP addresses overlapping MPLS-VPN VPDN RAS

More information

CCNA 4 - Final Exam (A)

CCNA 4 - Final Exam (A) CCNA 4 - Final Exam (A) 1. A network administrator is asked to design a system to allow simultaneous access to the Internet for 250 users. The ISP for this network can only supply five public IPs. What

More information

Cisco 5921 Embedded Services Router

Cisco 5921 Embedded Services Router Data Sheet Cisco 5921 Embedded Services Router The Cisco 5921 Embedded Services Router (ESR) is a Cisco IOS software router application. It is designed to operate on small, low-power, Linux-based platforms

More information

Implementing Enterprise WAN Links

Implementing Enterprise WAN Links Implementing Enterprise WAN Links Introducing Routing and Switching in the Enterprise Chapter 7 Version 4.0 1 Objectives Describe the features and benefits of common WAN connectivity options. Compare and

More information

Secure VPNs for Enterprise Networks

Secure VPNs for Enterprise Networks Secure Virtual Private Networks for Enterprise February 1999 Secure VPNs for Enterprise Networks This document provides an overview of Virtual Private Network (VPN) concepts using the. Benefits of using

More information

Configure ISDN Connectivity between Remote Sites

Configure ISDN Connectivity between Remote Sites Case Study 1 Configure ISDN Connectivity between Remote Sites Cisco Networking Academy Program CCNP 2: Remote Access v3.1 Objectives In this case study, the following concepts are covered: Asynchronous

More information

L2F Case Study Overview

L2F Case Study Overview L2F Case Study Overview Introduction This case study describes how one Internet service provider (ISP) plans, designs, and implements an access virtual private network (VPN) by using Layer 2 Forwarding

More information

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (jaamsp_mngnwi-088) You are the administrator for medium-sized network with many users who connect remotely. You have configured a server running Microsoft Windows Server 2003,

More information

RADIUS Tunnel Preference for Load Balancing

RADIUS Tunnel Preference for Load Balancing RADIUS Tunnel Preference for Load Balancing and Fail-Over Finding Feature Information RADIUS Tunnel Preference for Load Balancing and Fail-Over Last Updated: July 18, 2011 The RADIUS Tunnel Preference

More information

RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements

RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements RADIUS Attribute 66 Tunnel-Client-Endpoint The RADIUS Attribute 66 (Tunnel-Client-Endpoint) feature allows the hostname of the network access server (NAS) to be specified--rather than the IP address of

More information

Overview. RADIUS Protocol CHAPTER

Overview. RADIUS Protocol CHAPTER CHAPTER 1 The chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Access Registrar as a proxy server. Cisco Access Registrar is a RADIUS

More information

Universal Port Resource Pooling for Voice and Data Services

Universal Port Resource Pooling for Voice and Data Services Universal Port Resource Pooling for Voice and Data Services Feature History Release 12.2(2)XA 12.2(2)XB1 12.2(11)T Description This feature was introduced on the Cisco AS5350 and AS5400. This feature was

More information

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline Course Number: NET 226 Course Title: Routing and Switching II Class Hours: 1 Lab Hours: 4 Credit Hours: 3 Course Description: This course introduces WAN theory and design, WAN technology, PPP, Frame Relay,

More information

CCNP 2: Remote Access

CCNP 2: Remote Access Scope and Sequence CCNP 2: Remote Access Cisco Networking Academy Program Version 3.1 Table of Contents CCNP 2: REMOTE ACCESS...1 TABLE OF CONTENTS...2 TARGET AUDIENCE...3 PREREQUISITES...3 COURSE DESCRIPTION...3

More information

Point-to-Point Protocol (PPP)

Point-to-Point Protocol (PPP) Point-to-Point Protocol (PPP) Accessing the WAN Chapter 2 Version 4.0 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Describe the fundamental concepts of point-to-point serial

More information

Point-to-Point Protocol (PPP) Accessing the WAN Chapter 2

Point-to-Point Protocol (PPP) Accessing the WAN Chapter 2 Point-to-Point Protocol (PPP) Accessing the WAN Chapter 2 ITE I Chapter 6 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Describe the fundamental concepts of point-to-point serial

More information

WAN Technologies CCNA 4

WAN Technologies CCNA 4 WAN Technologies CCNA 4 Overview Note: Most of this will be described in more detail in later chapters. Differentiate between a LAN and WAN Identify the devices used in a WAN List WAN standards Describe

More information

Configuring Security on the GGSN

Configuring Security on the GGSN CHAPTER 12 This chapter describes how to configure security features on the gateway GPRS support node (GGSN), including Authentication, Authorization, and Accounting (AAA), and RADIUS. IPSec on the Cisco

More information

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security Operating System Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security White Paper Abstract The Microsoft Windows operating system includes technology to secure communications

More information

Configuring L2TP over IPsec

Configuring L2TP over IPsec CHAPTER 62 This chapter describes how to configure L2TP over IPsec on the ASA. This chapter includes the following topics: Information About L2TP over IPsec, page 62-1 Licensing Requirements for L2TP over

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Configuring PPP over ATM with NAT

Configuring PPP over ATM with NAT CHAPTER 4 The Cisco Secure Router 520 ADSL-over-POTS and Cisco Secure Router 520 ADSL-over-ISDN routers support Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA) clients and network address

More information

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS The RADIUS security system is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication

More information

Configuring Virtual Private Networks

Configuring Virtual Private Networks Configuring Virtual Private Networks This chapter describes how to configure, verify, maintain, and troubleshoot a Virtual Private Network (VPN). It includes the following main sections: VPN Technology

More information

RADIUS Tunnel Attribute Extensions

RADIUS Tunnel Attribute Extensions The feature allows a name to be specified (other than the default) for the tunnel initiator and the tunnel terminator in order to establish a higher level of security when setting up VPN tunneling. Finding

More information

TSIN02 - Internetworking

TSIN02 - Internetworking TSIN02 - Internetworking Literature: Lecture 11: SNMP and AAA Forouzan, chapter 21 Diameter next generation's AAA protocol by Håkan Ventura, sections 2-3.3.6 RFC2881 (optional extra material) Outline:

More information

Configuring Dial-on-Demand Routing

Configuring Dial-on-Demand Routing C H A P T E R 7 Configuring Dial-on-Demand Routing This chapter describes how to configure your communication server for dial-on-demand routing (DDR) and dial backup. For a complete description of the

More information

6.1. WAN Type. WAN types include the following:

6.1. WAN Type. WAN types include the following: 6.1. WAN Type WAN types include the following: Method Point to Point Circuit Switching Packet Switching Description A point to point connection is a single, pre established path from the customer's network

More information

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964 The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format

More information

Server Operating System

Server Operating System Server Operating System White Paper Microsoft Virtual Private Networking: Using Point-to- Point Tunneling Protocol for Low-Cost, Secure, Remote Access Across the Internet 1996 Microsoft Corporation. All

More information

Operation Manual Security. Table of Contents

Operation Manual Security. Table of Contents Table of Contents Table of Contents Chapter 1 Network Security Overview... 1-1 1.1 Introduction to the Network Security Features Provided by CMW... 1-1 1.2 Hierarchical Line Protection... 1-2 1.3 RADIUS-Based

More information

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides detailed accounting information and flexible

More information

WAN Technology & Design. Dr. Nawaporn Wisitpongphan

WAN Technology & Design. Dr. Nawaporn Wisitpongphan WAN Technology & Design Dr. Nawaporn Wisitpongphan 1 WAN Connection Modules 2 WAN Comparison 3 Integrated Services Digital Network (ISDN) All-digital phone line connection Technology since 1980s Allow

More information

Autosense for ATM PVCs and MUX SNAP Encapsulation

Autosense for ATM PVCs and MUX SNAP Encapsulation Autosense for ATM PVCs and MUX SNAP Encapsulation The PPPoA/PPPoE Autosense for ATM PVCs feature enables a router to distinguish between incoming PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE) over

More information

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

Ingate Firewall & SIParator Product Training. SIP Trunking Focused Ingate Firewall & SIParator Product Training SIP Trunking Focused Common SIP Applications SIP Trunking Remote Desktop Ingate Product Training Common SIP Applications SIP Trunking A SIP Trunk is a concurrent

More information

thus, the newly created attribute is accepted if the user accepts attribute 26.

thus, the newly created attribute is accepted if the user accepts attribute 26. Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

Configuring PPP Callback

Configuring PPP Callback Configuring PPP Callback This chapter describes how to configure PPP callback for dial-on-demand routing (DDR). It includes the following main sections: PPP Callback for DDR Overview How to Configure PPP

More information

Wireless LAN, WLAN Security, and VPN

Wireless LAN, WLAN Security, and VPN Wireless LAN, WLAN Security, and VPN 麟瑞科技台南辦事處技術經理張晃崚 WLAN & VPN FAQ What is WLAN?802.11a?802.11b?802.11g? Which standard (product) should we use? How to deploy WLAN? How to block intruders? How to authenticate

More information

RADIUS Attributes. RADIUS IETF Attributes

RADIUS Attributes. RADIUS IETF Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

Configuring Client-Initiated Dial-In VPDN Tunneling

Configuring Client-Initiated Dial-In VPDN Tunneling Configuring Client-Initiated Dial-In VPDN Tunneling Client-initiated dial-in virtual private dialup networking (VPDN) tunneling deployments allow remote users to access a private network over a shared

More information

PPPoE on ATM. Finding Feature Information. Prerequisites for PPPoE on ATM. Restrictions for PPPoE on ATM

PPPoE on ATM. Finding Feature Information. Prerequisites for PPPoE on ATM. Restrictions for PPPoE on ATM This feature module describes the PPP over Ethernet (PPPoE) on ATM feature. The feature provides the ability to connect a network of hosts over a simple bridging-access device to a remote access concentrator.

More information

PPP. Point-to-Point Protocol

PPP. Point-to-Point Protocol PPP Point-to-Point Protocol 1 Introduction One of the most common types of WAN connection is the point-to-point connection. Point-to-point connections are used to connect LANs to service provider WANs,

More information

Virtual private networks

Virtual private networks Technical papers Virtual private networks Virtual private networks Virtual private networks (VPNs) offer low-cost, secure, dynamic access to private networks. Such access would otherwise only be possible

More information

Cisco 5921 Embedded Services Router

Cisco 5921 Embedded Services Router Data Sheet Cisco 5921 Embedded Services Router The Cisco 5921 Embedded Services Router (ESR) is a Cisco IOS software router. It is designed to operate on small, low-power, Linux-based platforms to extend

More information

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT Hüseyin ÇOTUK Information Technologies hcotuk@etu.edu.tr Ahmet ÖMERCİOĞLU Information Technologies omercioglu@etu.edu.tr Nurettin ERGİNÖZ Master Student

More information

PPP Configuration Options

PPP Configuration Options PPP Configuration Options 1 PPP Configuration Options PPP can be configured to support various functions including: Authentication using either PAP or CHAP Compression using either Stacker or Predictor

More information

Data Link Protocols. TCP/IP Suite and OSI Reference Model

Data Link Protocols. TCP/IP Suite and OSI Reference Model Data Link Protocols Relates to Lab. This module covers data link layer issues, such as local area networks (LANs) and point-to-point links, Ethernet, and the Point-to-Point Protocol (PPP). 1 TCP/IP Suite

More information

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions [MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network Deployment Guide Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network The Cisco Service Oriented Network Architecture (SONA) framework helps enterprise customers evolve their

More information

Configuring X.25 on ISDN Using AO/DI

Configuring X.25 on ISDN Using AO/DI Configuring X.25 on ISDN Using AO/DI The chapter describes how to configure the X.25 on ISDN using the Always On/Dynamic ISDN (AO/DI) feature. It includes the following main sections: AO/DI Overview How

More information

Access Server Dial In IP/PPP Configuration With Dedicated V.120 PPP

Access Server Dial In IP/PPP Configuration With Dedicated V.120 PPP Access Server Dial In IP/PPP Configuration With Dedicated V.120 PPP Document ID: 6306 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information How V.120 Affects

More information

VPN. Virtual Private Network. Mario Baldi. Synchrodyne Networks, Inc. VPN - 1 M.

VPN. Virtual Private Network. Mario Baldi. Synchrodyne Networks, Inc.  VPN - 1 M. VPN Virtual Private Network Mario Baldi Synchrodyne Networks, Inc. http://www.synchrodyne.com/baldi VPN - 1 M. Baldi: see page 2 Nota di Copyright This set of transparencies, hereinafter referred to as

More information

thus, the newly created attribute is accepted if the user accepts attribute 26.

thus, the newly created attribute is accepted if the user accepts attribute 26. Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values

RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values First Published: September 23, 2005 Last Updated: August 18, 2010 The Internet Engineering Task Force (IETF) draft standard

More information

RADIUS Tunnel Preference for Load Balancing and Fail-Over

RADIUS Tunnel Preference for Load Balancing and Fail-Over RADIUS Tunnel Preference for Load Balancing and Fail-Over Feature History for RADIUS Tunnel Preference for Load Balancing and Fail-Over Release Modification 12.2(4)T This feature was introduced. 12.2(11)T

More information

Configuring Resource Pool Management

Configuring Resource Pool Management Configuring Resource Pool Management This chapter describes the Cisco Resource Pool Management (RPM) feature. It includes the following main sections: RPM Overview How to Configure RPM Verifying RPM Components

More information

RADIUS Vendor-Proprietary Attributes

RADIUS Vendor-Proprietary Attributes RADIUS Vendor-Proprietary Attributes Last Updated: January 17, 2012 The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server

More information

Introduction to WAN Technologies

Introduction to WAN Technologies Introduction to WAN Technologies From DocWiki This article introduces the various protocols and technologies used in wide-area network (WAN) environments. Topics summarized here include point-to-point

More information

Implementing ADSL and Deploying Dial Access for IPv6

Implementing ADSL and Deploying Dial Access for IPv6 Implementing ADSL and Deploying Dial Access for IPv6 Last Updated: July 31, 2012 Finding Feature Information, page 1 Restrictions for Implementing ADSL and Deploying Dial Access for IPv6, page 1 Information

More information

HP VSR1000 Virtual Services Router

HP VSR1000 Virtual Services Router HP VSR1000 Virtual Services Router Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information

More information

Virtual Private Networks.

Virtual Private Networks. Virtual Private Networks thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Virtual Private Networks VPN Basics Protocols (IPSec, PPTP, L2TP) Objectives of VPNs Earlier Companies

More information

RADIUS Attributes Overview and RADIUS IETF Attributes

RADIUS Attributes Overview and RADIUS IETF Attributes RADIUS Attributes Overview and RADIUS IETF Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements

More information

RADIUS - QUICK GUIDE AAA AND NAS?

RADIUS - QUICK GUIDE AAA AND NAS? RADIUS - QUICK GUIDE http://www.tutorialspoint.com/radius/radius_quick_guide.htm Copyright tutorialspoint.com AAA AND NAS? Before you start learning about Radius, it is important that you understand: What

More information

Table of Contents. Cisco RFC1483 Bridging Baseline Architecture

Table of Contents. Cisco RFC1483 Bridging Baseline Architecture Table of Contents RFC1483 Bridging Baseline Architecture...1 Introduction...1 Assumption...1 Technology Brief...1 Advantages and Disadvantages of RFC1483 Bridging...1 Advantages...2 Disadvantages...2 Implementation

More information

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols

More information

Configuring PPP over Ethernet with NAT

Configuring PPP over Ethernet with NAT CHAPTER 3 The Cisco Secure Router 520 Ethernet-to-Ethernet routers support Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT). Multiple PCs can be connected to

More information

Vendor-Proprietary Attribute

Vendor-Proprietary Attribute RADIUS s The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server. However, some vendors have extended

More information

So Your Customer Wants a VPN. Howard C. Berkowitz

So Your Customer Wants a VPN. Howard C. Berkowitz NANOG 16 -- May 1999 -- Eugene, OR So Your Customer Wants a VPN Howard C. Berkowitz Gett Communications hcb@clark.net (703)998-5819 1 Issues Understanding Requirements Managing Expectations Defining your

More information

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang School of Computer Sciences Universiti Sains Malaysia Pulau Pinang Information Security & Assurance Assignment 2 White Paper Virtual Private Network (VPN) By Lim Teck Boon (107593) Page 1 Table of Content

More information

ABSTRACT. that it avoids the tolls charged by ordinary telephone service

ABSTRACT. that it avoids the tolls charged by ordinary telephone service ABSTRACT VoIP (voice over IP - that is, voice delivered using the Internet Protocol) is a term used in IP telephony for a set of facilities for managing the delivery of voice information using the Internet

More information

Virtual Private Networks

Virtual Private Networks Chapter 12 Virtual Private Networks Introduction Business has changed in the last couple of decades. Companies now have to think about having a global presence, global marketing, and logistics. Most of

More information

ON-LINE EXPERT SUPPORT THROUGH VPN ACCESS

ON-LINE EXPERT SUPPORT THROUGH VPN ACCESS ON-LINE EXPERT SUPPORT THROUGH VPN ACCESS P. Fidry, V. Rakotomanana, C. Ausanneau Pierre.fidry@alcatel-lucent.fr Alcatel-Lucent, Centre de Villarceaux, 91620, Nozay, France Abstract: As a consequence of

More information

Configuring Virtual Asynchronous Traffic over ISDN

Configuring Virtual Asynchronous Traffic over ISDN Configuring Virtual Asynchronous Traffic over ISDN Cisco IOS software offers two solutions to send virtual asynchronous traffic over ISDN: Using International Telecommunication Union Telecommunication

More information

Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs

Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs Feature History for Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs Release Modification 12.2(15)B This feature was introduced.

More information

Computer Communications and Network Basics p. 1 Overview of Computer Communications and Networking p. 2 What Does Computer Communications and

Computer Communications and Network Basics p. 1 Overview of Computer Communications and Networking p. 2 What Does Computer Communications and Computer Communications and Network Basics p. 1 Overview of Computer Communications and Networking p. 2 What Does Computer Communications and Networking Technologies Mean? p. 3 What Is a Computer Network?

More information

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7)

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7) HP MSR Router Series Layer 2 - WAN Access Configuration Guide(V7) Part number: 5998-6465 Software version: CMW710-R0106 Document version: 6PW101-20140807 Legal and notice information Copyright 2014 Hewlett-Packard

More information

Cisco DSL Router Configuration and Troubleshooting Guide Cisco DSL Router Acting as a PPPoE Client with a Dynamic IP Address

Cisco DSL Router Configuration and Troubleshooting Guide Cisco DSL Router Acting as a PPPoE Client with a Dynamic IP Address Cisco DSL Router Configuration and Troubleshooting Guide Cisco DSL Router Acting as a PPPoE Client with a Dynamic IP Address Document ID: 71118 Contents Introduction Prerequisites Requirements Components

More information

Review on protocols of Virtual Private Network

Review on protocols of Virtual Private Network Review on protocols of Virtual Private Network Shaikh Shahebaz 1, Sujay Madan 2, Sujata Magare 3 1 Student, Dept. Of MCA [JNEC College] Cidoco N-6, Aurangabad, Maharashtra, India 2 Student Dept. of MCA

More information

Telstra Mobile SMS ACCESS MANAGER Technical Guide.

Telstra Mobile SMS ACCESS MANAGER Technical Guide. Telstra Mobile SMS ACCESS MANAGER Technical Guide. Technology solutions that let you do what you do best. www.telstra.com 2 Table of Contents 1. Introduction 4 2. Selection of Access Method 4 3. Access

More information

Network Working Group

Network Working Group Network Working Group Request for Comments: 2637 Category: Informational K. Hamzeh Ascend Communications G. Pall Microsoft Corporation W. Verthein 3Com J. Taarud Copper Mountain Networks W. Little ECI

More information

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public

More information

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

ETSF05/ETSF10 Internet Protocols Network Layer Protocols ETSF05/ETSF10 Internet Protocols Network Layer Protocols 2016 Jens Andersson Agenda Internetworking IPv4/IPv6 Framentation/Reassembly ICMPv4/ICMPv6 IPv4 to IPv6 transition VPN/Ipsec NAT (Network Address

More information

Analysis of VPN Protocols

Analysis of VPN Protocols Analysis of VPN Protocols ECE 646 Final Project Presentation Tamer Mabrouk Touhidur Satiar Overview VPN Definitions Emergence of VPN Concept of Tunneling VPN Classification Comparison of Protocols Customer

More information

CCNA 4 - Final Exam Answers

CCNA 4 - Final Exam Answers CCNA 4 - Final Exam Answers 1 Which of the following describes the roles of devices in a WAN? (Choose three.) *** A CSU/DSU terminates a digital local loop. A modem terminates a digital local loop. A CSU/DSU

More information

HPE FlexNetwork MSR Router Series

HPE FlexNetwork MSR Router Series HPE FlexNetwork MSR Router Series Comware 7 Layer 2 - WAN Access Configuration Guides Part number: 5998-8783 Software version: CMW710-E0407 Document version: 6W100-20160526 Copyright 2016 Hewlett Packard

More information

TECHNICAL REPORT. CPE Architecture Recommendations for Access to Legacy Data Networks. DSL Forum TR-032. May 2000

TECHNICAL REPORT. CPE Architecture Recommendations for Access to Legacy Data Networks. DSL Forum TR-032. May 2000 TECHNICAL REPORT DSL Forum TR-032 CPE Architecture Recommendations for Access to Legacy Data s May 2000 Abstract: This document describes four protocol architectures for connecting a remote ADSL termination

More information

Mobile MOUSe ROUTING AND SWITCHING FUNDAMENTALS ONLINE COURSE OUTLINE

Mobile MOUSe ROUTING AND SWITCHING FUNDAMENTALS ONLINE COURSE OUTLINE Mobile MOUSe ROUTING AND SWITCHING FUNDAMENTALS ONLINE COURSE OUTLINE COURSE TITLE ROUTING AND SWITCHING FUNDAMENTALS COURSE DURATION 16 Hour(s) of Self-Paced Interactive Training COURSE OVERVIEW In the

More information

RADIUS Attributes Overview and RADIUS IETF Attributes

RADIUS Attributes Overview and RADIUS IETF Attributes RADIUS Attributes Overview and RADIUS IETF Attributes First Published: March 19, 2001 Last Updated: September 23, 2009 Remote Authentication Dial-In User Service (RADIUS) attributes are used to define

More information

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN This chapter describes how to configure /IKEv1 on the ASA. About /IKEv1 VPN, on page 1 Licensing Requirements for, on page 3 Prerequisites for Configuring, on page 4 Guidelines and Limitations, on page

More information

Data Sheet. NCP Secure Enterprise Linux Client. Next Generation Network Access Technology

Data Sheet. NCP Secure Enterprise Linux Client. Next Generation Network Access Technology Versatile central manageable VPN Client Suite for Linux Central Management and Network Access Control Compatible with VPN gateways (IPsec Standard) Integrated, dynamic personal firewall FIPS Inside Fallback

More information

2001, Cisco Systems, Inc. All rights reserved. Copyright 2001, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.

2001, Cisco Systems, Inc. All rights reserved. Copyright 2001, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID. 3001_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved. 1 Introduction to IP Mobility Session 3001_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved. 3 Agenda IP Mobility Overview Terminology

More information